Creepy Email Spam From Criteo ⇥ medium.com

My favourite creepy ad retargeting company strikes again. Fred Benenson:

I recently fell down a deep dark hole on the internet.

It began by researching a part for my central air conditioning but ended up with me stumbling upon a terrible development in modern advertising: spam driven by my browsing habits.

If that sounds like a privacy invading hellscape you’d like to avoid, read on, dear reader.

This is super creepy. I can’t imagine anyone responding positively to receiving unsolicited email from websites that they’ve merely browsed.

Criteo is a French company. As such, it falls under E.U. privacy and communications laws — specifically, the Directive on Privacy and Electronic Communications, which prohibits direct marketing emails without an explicit opt-in. However, these restrictions are relaxed if those contact details are used to market products that are similar to a sale made in a previously-established customer relationship. Perhaps that has unintentionally incentivized more targeted advertising. There are also no regulations that explicitly prohibit buying or selling lists of email addresses.

Even if all of this is fine, legally speaking, it seems unambiguously creepy and unwanted from a moral or ethical standpoint. Users need better privacy protections to prevent the sharing of email lists, and restrict email communications to those solely related to individual, direct requests.

Update: Benenson is perhaps inaccurate with this statement:

I am signed up to some platform which is considered a Criteo partner. This could possibly be Facebook since Criteo boasts a “close partnership” with them. That platform actually has my email address and my consent to send me email.

While Criteo does say that they use Facebook and Instagram data for personalization, Facebook’s data use policy says that they require opt-in for third-parties’ use of email addresses:

We do not share information that personally identifies you (personally identifiable information is information like name or email address that can by itself be used to contact you or identifies who you are) with advertising, measurement or analytics partners unless you give us permission.

Unfortunately, as Criteo fails to disclose precisely where an email address in their system originated, it is difficult to trace it back to a specific instance. But, by blending together lots of information across multiple sessions into a single advertising profile, Criteo has created a system where private data is shared and marketed against in ways that are hard to imagine for most users. The ambiguity of granting permission — and how far that permission extends — is why strong privacy legislation is needed.